Bytes | Software Development & Data Engineering Community

submitted for your amusement...

Hi,

Thought you might get a kick out of this. It happened a few days ago.

A couple years ago I set up a small database to hold the Portfolio information
(we're an ad agency) of the company I work for. It had categories like Posters,
Billboards, Logos, Jingles, etc. and examples of each. The PHP/MySQL backend
fed the info to a Flash file, which displayed the text, graphics and
multimedia.

I was quite a bit less experienced then than I am now and decided not to
password protect the directory I use to administer the database until the
development was finished. There was no real data in it yet, so why bother?
Needless to say, I forgot to password protect it, even after I entered the live
data.

Skip ahead to last week.

My boss asked me to look at the Portfolio. It seems he was demonstrating it to
a client and it was empty. Checking the DB from the command line, I realized
all the data was gone. "Someone hacked the site!", was my first thought, but I
quickly re-discovered that there was no password protection and my heart sank.
"They just guessed at the URL and deleted everything", was my next thought. But
I thought it weird that they'd delete everything, but not add a category like
"Windoze sux0rs!" or something equally witty. I checked the logs, vowing to
make the bastards pay. I found they did it about 2 weeks previous and noted
their IP. I also noticed their browser was "ia_archiver", which rang a bell but
I couldn't quite figure out where I knew that name. On to ARIN to look up who
the IP belongs to... Answer: Alexa Internet. "Alexa" sounded familiar too.
They make the toolbar I use to help track our sites' popularity. I wondered if
they were also an ISP. Probably not, they didn't have many IP addresses.

Then it hit me: the Alexa toolbar sends to Alexa the pages you visit. An Alexa
bot then crawls the sites you visit and ranks them. The "delete" button on the
portfolio script was a simple link, with only a Javascript confirmation (I'm the
only one who updates the portfolio, so why bother with real buttons and a real
confirmation screen?). So no JS means no confirmation. The Alexa bot crawled
the site and deleted every damn record and I was the one who not only left the
door open, but showed it where it was...

Happy Ending: our hosting company had backup tapes. They sent me the files, I
installed them and everything's back up and running.

Oh, and I set up password protection :o)

Shawn
--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #1
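The log check Shawn describes doing by hand (find who hit the admin area, note the IP and the user-agent) is easy to script. The following is an added example, not code from the thread: it parses Apache combined-format log lines and flags state-changing GETs against the admin area that come from crawler-like user-agents. The log lines, IPs, timestamps and the `/admin/` path are constructed for the example; only the `ia_archiver` user-agent comes from the story.

```php
<?php
// Added example, not from the thread. Scans Apache combined-format access-log
// lines for requests into the admin area and flags the ones that look like a
// crawler following links that change state (a GET with a query string).
// The /admin/ path is a hypothetical location for the admin scripts.

// Constructed sample lines, not real log data. "ia_archiver" is the crawler
// user-agent named in the thread.
$lines = [
    '203.0.113.5 - - [04/Sep/2003:10:15:02 -0300] "GET /portfolio.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [04/Sep/2003:10:16:31 -0300] "GET /admin/index.php HTTP/1.0" 200 2210 "-" "ia_archiver"',
    '192.0.2.44 - - [04/Sep/2003:10:16:32 -0300] "GET /admin/delete.php?id=7 HTTP/1.0" 200 88 "-" "ia_archiver"',
    '192.0.2.44 - - [04/Sep/2003:10:16:33 -0300] "GET /admin/delete.php?id=8 HTTP/1.0" 200 88 "-" "ia_archiver"',
    '198.51.100.9 - - [04/Sep/2003:11:02:10 -0300] "POST /admin/delete.php HTTP/1.0" 302 0 "-" "Mozilla/5.0"',
];

// Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
const COMBINED_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<ref>[^"]*)" "(?<ua>[^"]*)"$/';
// Substrings that commonly identify automated clients; extend to taste.
const BOT_RE = '/archiver|bot|crawl|spider|slurp/i';

// Returns the parsed fields of one line, or null if the line does not match.
function parse_line(string $line): ?array
{
    if (!preg_match(COMBINED_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m['ip'],
        'ts'     => $m['ts'],
        'method' => $m['method'],
        'path'   => $m['path'],
        'status' => (int) $m['status'],
        'ua'     => $m['ua'],
    ];
}

// Groups, per client IP, the admin-area requests that look like a crawler
// triggering a state change: GET with a query string from a bot-like agent.
// Plain GETs of admin pages (reads) and POSTs are left out on purpose.
function find_crawler_admin_hits(array $lines, string $adminPrefix = '/admin/'): array
{
    $hits = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null || strpos($r['path'], $adminPrefix) !== 0) {
            continue;
        }
        $isBot       = (bool) preg_match(BOT_RE, $r['ua']);
        $mutatingGet = $r['method'] === 'GET' && strpos($r['path'], '?') !== false;
        if ($isBot && $mutatingGet) {
            $hits[$r['ip']][] = $r;
        }
    }
    return $hits;
}

foreach (find_crawler_admin_hits($lines) as $ip => $requests) {
    printf("%s (%s): %d state-changing GETs in admin area\n",
        $ip, $requests[0]['ua'], count($requests));
    foreach ($requests as $r) {
        printf("  %s %s %s\n", $r['ts'], $r['method'], $r['path']);
    }
}
```

On the sample lines this reports one client, 192.0.2.44 with user-agent ia_archiver, and its two `delete.php?id=` requests; the crawler's read of `index.php` and the browser's POST are not flagged. Any hit at all from a crawler inside the admin area is worth a look, since it means the area is reachable without credentials, which is the actual problem in the story.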
"Shawn Wilson" <sh***@glassgiant.com> wrote in message
news:3F***************@glassgiant.com...
Happy Ending: our hosting company had backup tapes. They sent me the files, I installed them and everything's back up and running.


well, if there were no tapes, maybe you would find your pages in Alexa
internet archive, I mean Alexa bot collected them for that purpose ;>>

rush
--
http://www.templatetamer.com/

Jul 17 '05 #2
On Thu, 18 Sep 2003 15:42:31 -0300, Shawn Wilson <sh***@glassgiant.com> wrote:
Then it hit me: the Alexa toolbar sends to Alexa the pages you visit. An Alexa
bot then crawls the sites you visit and ranks them. The "delete" button on the
portfolio script was a simple link, with only a Javascript confirmation (I'm the
only one who updates the portfolio, so why bother with real buttons and a real
confirmation screen?). So no JS means to confirmation. The Alexa bot crawled
the site and deleted every damn record and I was the one who not only left the
door open, but showed it where it was...


Heh - ouch.

This is covered in the HTML specification of course :-)

http://www.w3.org/TR/html4/interact/...#submit-format

"The "get" method should be used when the form is idempotent (i.e., causes no
side-effects). Many database searches have no visible side-effects and make
ideal applications for the "get" method.

If the service associated with the processing of a form causes side effects
(for example, if the form modifies a database or subscription to a service),
the "post" method should be used."

It's also why I'm hesitating running any sort of search engine on the intranet
at work!

--
Andy Hassall (an**@andyh.co.uk) icq(5747695) (http://www.andyh.co.uk)
Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)
Jul 17 '05 #3
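To make the spec passage Andy quotes concrete against the setup Shawn describes, here is an added example (not Shawn's code and not from the thread). The first half is the pattern from the story: a plain link that deletes, guarded only by a JavaScript confirm() that a crawler never runs. The second half is a delete that only happens on an authenticated POST carrying a session token and an explicit confirm field, so a merely-followed link changes nothing. It assumes PHP 7 or later, a PDO connection in `$pdo`, a table named `portfolio` with an integer `id` column, and a session flag `$_SESSION['admin']` set by whatever login protects the admin area; all of these are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+, a PDO connection $pdo,
// a table "portfolio" with an integer "id" column, and $_SESSION['admin']
// set by the admin login. All of these are hypothetical.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// ---- BEFORE: the pattern described in the thread -------------------------
// A plain link performs the delete. A crawler follows links and does not run
// JavaScript, so the confirm() is no protection at all.
function render_delete_link_unsafe(int $id): string
{
    return '<a href="delete.php?id=' . $id . '"'
         . ' onclick="return confirm(\'Delete?\')">delete</a>';
}

// delete.php (unsafe): any GET with ?id= removes the row, no matter who sent it.
function handle_delete_unsafe(PDO $pdo): void
{
    $stmt = $pdo->prepare('DELETE FROM portfolio WHERE id = ?');
    $stmt->execute([(int) ($_GET['id'] ?? 0)]);
}

// ---- AFTER: authenticated POST with a per-session token and explicit confirm
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// The delete is a form that POSTs. A crawler indexes the page but does not
// submit forms, and the spec says a state change belongs in POST anyway.
function render_delete_form(int $id): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="delete.php">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="token" value="' . $token . '">'
         . '<button type="submit" name="confirm" value="1">Delete</button>'
         . '</form>';
}

// delete.php (hardened): every check is done on the server, in this order:
// logged in, POST only, token matches the session, confirmation present.
function handle_delete(PDO $pdo): void
{
    if (empty($_SESSION['admin'])) {
        http_response_code(403);
        exit('forbidden');
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Allow: POST');
        http_response_code(405);
        exit('delete requires POST');
    }
    if (!hash_equals(csrf_token(), (string) ($_POST['token'] ?? ''))) {
        http_response_code(400);
        exit('bad token');
    }
    if (($_POST['confirm'] ?? '') !== '1') {
        http_response_code(400);
        exit('not confirmed');
    }
    $stmt = $pdo->prepare('DELETE FROM portfolio WHERE id = :id');
    $stmt->execute([':id' => (int) $_POST['id']]);
}
```

In use, the portfolio listing calls `render_delete_form()` for each row and `delete.php` calls `handle_delete($pdo)` after opening the connection. Requiring a login on the admin directory, which is what Shawn set up afterwards, is still what keeps a crawler out of the area in the first place; the POST-only handler is what keeps a followed link from changing data even when something does reach it, and the token means the POST has to come from a page the same session was served.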
He means his MySQL database content, and this can't be archived by a bot.
"rush" <pi**@rush.avalon.hr> wrote in message
news:bk**********@ls219.htnet.hr...
"Shawn Wilson" <sh***@glassgiant.com> wrote in message
news:3F***************@glassgiant.com...
Happy Ending: our hosting company had backup tapes. They sent me the

files, I
installed them and everything's back up and running.


well, if there were no tapes, maybe you would find your pages in Alexa
internet archive, I mean Alexa bot collected them for that purpose ;>>

rush
--
http://www.templatetamer.com/

Jul 17 '05 #4
"Savut" <we***@hotmail.com> wrote in message
news:Ms*******************@news20.bellglobal.com...
He means his MySQL database content, and this can't be archived by a bot.


I understood that, I just made a joke (as indicated by the smiley at the end).

rush
--
http://www.templatetamer.com/

Jul 17 '05 #5
Andy Hassall wrote:

On Thu, 18 Sep 2003 15:42:31 -0300, Shawn Wilson <sh***@glassgiant.com> wrote:
Then it hit me: the Alexa toolbar sends to Alexa the pages you visit. An Alexa
bot then crawls the sites you visit and ranks them. The "delete" button on the
portfolio script was a simple link, with only a Javascript confirmation (I'm the
only one who updates the portfolio, so why bother with real buttons and a real
confirmation screen?). So no JS means to confirmation. The Alexa bot crawled
the site and deleted every damn record and I was the one who not only left the
door open, but showed it where it was...


Heh - ouch.

This is covered in the HTML specification of course :-)

http://www.w3.org/TR/html4/interact/...#submit-format

"The "get" method should be used when the form is idempotent (i.e., causes no
side-effects). Many database searches have no visible side-effects and make
ideal applications for the "get" method.


I realize that now. Like I said, I did this a while ago. I didn't see the harm
at the time. I do now.

I read and I forget.
I see and I remember.
I do and I understand.

Shawn
--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #6
